Over the weekend I dealt with a misbehaving server. That experience reminded me that no matter how large or small your business is, you need a security disaster toolkit at the ready should any event occur. You’ll also need a disaster checklist that maps out processes and resources to speed recovery.
You have good Microsoft-specific tools to consider for your toolkit, starting with Sysmon. Microsoft's tool logs detailed information about process creation, network connections, and changes to file creation time, and it stays resident on the system across reboots. You'll want to review a sample Sysmon configuration on GitHub to start.
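As an added example (not from the original post), the PowerShell below writes a minimal Sysmon configuration that covers exactly the three event types mentioned above, installs Sysmon with it (or reloads the config if the service already exists), and reads back a few recent events to confirm logging is working. It assumes Sysmon64.exe has already been downloaded to the working directory; the XML is a starting point, not a replacement for the community configurations mentioned above, and the property index used to pull the Image field is the usual field order for Event ID 1.

```powershell
# Added example, not the post's own code: minimal Sysmon config for the
# three event types discussed (process creation, file creation time changes,
# network connections), install/reload, then a sanity check.
# Assumes Sysmon64.exe is in the current directory.
$configPath = Join-Path $PWD 'sysmonconfig.xml'

@'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: an empty exclude list logs every process creation -->
    <ProcessCreate onmatch="exclude" />
    <!-- Event ID 2: file creation time changes under user profiles (timestomping indicator) -->
    <FileCreateTime onmatch="include">
      <TargetFilename condition="begin with">C:\Users</TargetFilename>
    </FileCreateTime>
    <!-- Event ID 3: outbound connections made by scripting hosts -->
    <NetworkConnect onmatch="include">
      <Image condition="end with">powershell.exe</Image>
      <Image condition="end with">cscript.exe</Image>
      <Image condition="end with">wscript.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# Install the driver and service if absent; otherwise just load the new configuration
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & .\Sysmon64.exe -c $configPath
} else {
    & .\Sysmon64.exe -accepteula -i $configPath
}

# Sanity check: the newest process-creation events (ID 1) from the Sysmon operational log.
# Properties[4] is the Image field in the standard Event ID 1 layout (assumed field order).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5 |
    Select-Object TimeCreated, @{ Name = 'Image'; Expression = { $_.Properties[4].Value } }
```

Run it from an elevated PowerShell prompt. Installing before an incident matters because Sysmon only records what happens after the driver is loaded; there is no retroactive history to pull from a machine that was not instrumented.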
Then, if you haven't already, install the Local Administrator Password toolkit. Attackers gain access to a network through targeted phishing attacks. From there they use a variety of means, such as Mimikatz or WDigest harvesting, to obtain the hash of a single local administrator password. In the past, admins often went down the easy road and used the same password throughout the network. Attackers know our habits and, as a result, use lateral movement from harvested passwords to gain full access to the network. Install this now, before an incident. If you are rebuilding your network after an incident, do so in a more secure manner by using this toolkit and take away the ability for attackers to move laterally via compromised passwords.
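The useful check after deploying the toolkit is coverage: which machines still have a hand-set local administrator password that an attacker could reuse? The PowerShell below is an added example (not the post's own code) that reports unmanaged and overdue hosts by reading the expiration attribute the toolkit writes to each computer object. It assumes the RSAT ActiveDirectory module, that the schema has been extended with the ms-Mcs-AdmPwdExpirationTime attribute, and a placeholder OU in $searchBase.

```powershell
# Added example, not the post's own code: find domain computers whose local
# administrator password is not yet managed, or is past its rotation date.
# Assumes the ActiveDirectory module and the ms-Mcs-AdmPwdExpirationTime
# schema attribute; $searchBase is a placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=local'   # placeholder OU

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem'

$report = foreach ($c in $computers) {
    $expiry = $c.'ms-Mcs-AdmPwdExpirationTime'
    [pscustomobject]@{
        Name        = $c.Name
        OS          = $c.OperatingSystem
        # An empty attribute means the client has never written a managed password
        LapsManaged = [bool]$expiry
        # The attribute is a FILETIME integer; convert so overdue rotations are visible
        Expires     = if ($expiry) { [DateTime]::FromFileTimeUtc([int64]$expiry) } else { $null }
    }
}

# Hosts still sharing a hand-set local admin password: the lateral-movement exposure
'--- Not managed ---'
$report | Where-Object { -not $_.LapsManaged } | Sort-Object Name | Format-Table -AutoSize

# Hosts whose managed password is past expiry (client not checking in, or policy not applied)
'--- Rotation overdue ---'
$report | Where-Object { $_.Expires -and $_.Expires -lt (Get-Date).ToUniversalTime() } |
    Sort-Object Expires | Format-Table -AutoSize
```

Run the report periodically, not just once after deployment: a machine that drops out of the policy scope, or that was rebuilt from an old image, silently reverts to whatever password the image carried.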
Another tool you might want to bookmark, but not necessarily download, is the Microsoft Safety Scanner, which finds and removes malicious files from systems. To ensure you have the latest definitions, download it fresh for each incident. The Safety Scanner only scans when manually triggered and can be used for 10 days after being downloaded.
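Because the scanner expires 10 days after download, the step worth scripting is the freshness check rather than the scan itself. The PowerShell below is an added example (not the post's own code): it fetches a new copy when the cached one is missing or older than 10 days, verifies the Authenticode signature before executing anything pulled down during an incident, and then runs a quiet full scan. The download link is the 64-bit fwlink Microsoft publishes for the Safety Scanner, and the /Q and /F:Y switches are MSERT's quiet and full-scan-and-clean options; confirm both against the current Safety Scanner page before relying on them.

```powershell
# Added example, not the post's own code: keep a fresh Safety Scanner copy
# per incident, refuse a stale one, check its signature, then scan quietly.
# The fwlink and switches are assumed to match Microsoft's current documentation.
$msert = Join-Path $env:TEMP 'MSERT.exe'
$url   = 'https://go.microsoft.com/fwlink/?LinkId=212732'   # 64-bit Safety Scanner

# Stale if absent or downloaded more than 10 days ago (the scanner's validity window)
$stale = (-not (Test-Path $msert)) -or
         ((Get-Item $msert).LastWriteTime -lt (Get-Date).AddDays(-10))

if ($stale) {
    Invoke-WebRequest -Uri $url -OutFile $msert -UseBasicParsing
}

# Never run an unverified binary on a machine you are already suspicious of
$sig = Get-AuthenticodeSignature -FilePath $msert
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to run $msert (signature status: $($sig.Status))"
}

# /Q = quiet, /F:Y = force a full scan and clean what is found.
# Results are written to $env:SystemRoot\debug\msert.log for the incident record.
Start-Process -FilePath $msert -ArgumentList '/Q', '/F:Y' -Wait
Get-Content (Join-Path $env:SystemRoot 'debug\msert.log') -Tail 20
```

Keep the log with the rest of the incident evidence; a clean result from a scanner that was downloaded three weeks earlier is not a clean result.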